In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Cross-Site Scripting (XSS) Vulnerability in CKEditor WYSIWYG for Gravity Forms

The changelog entry for version 1.14.0 of the plugin CKEditor WYSIWYG for Gravity Forms is:

Fix: Upgrade CKEditor to 4.9.2. Includes security patch to resolve XSS vulnerability https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/

Looking at the information in the URL mentioned in that though we found that the vulnerability only impacts usage of CKEditor when the Enhanced Image (image2) plugin is included:

CKEditor 4.9.2 fixes an XSS vulnerability in the Enhanced Image (image2) plugin reported by Kyaw Min Thein. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor using the <img> tag and specially crafted HTML.

Please note that the default presets (Basic/Standard/Full) do not include this plugin, so you are only at risk if you made a custom build and enabled this plugin.

CKEditor WYSIWYG for Gravity Forms doesn’t include that, so there wasn’t a vulnerability previously in the plugin.